Third-Party Risk Management – Part 1: Contract Extension
I am pleased to welcome Cristina Muehl as a guest contributor. Cristina has provided a two-part series on third-party risk management relating to contract extensions and contract termination. Cristina is a Senior Corporate Auditor at Delphi Corporation. Her LinkedIn profile is here. She can be reached at [email protected]
Risk management is a constant theme for top management, as it might make the difference between a successful move and failure. It involves the identification, assessment and prioritization of risks.
One area of constant concern is third-party business relations. They are complicated; each contract has a different setup and has to be audited in the light of its contract clauses and the services provided.
A study performed by Crowe Horwath LLP and The Institute of Internal Auditors Research Foundation in 2013 titled ‘Closing the Gaps in Third-Party Risk Management’ noted that ‘65% of the internal audit executives who responded to the survey described their organizations’ reliance on third parties as either “significant” or “extensive.” An overwhelming majority (82%) said they devote less than 20% of their internal audit resources to assessing third-party risks.’
The results are surprising, as there is an increasing trend to rely more and more on third parties to supply services and goods.
A simplified standard lifecycle of a third-party business relation has 4 stages: contract setup, renewal (the contract is prolonged on the same basis), extension (additional services or products are added to the existing contract) and termination. Contract initiation and contract renewal are widely covered in articles on best practices and items to be considered. This article is the first of a series of two covering the other two stages: contract extension and contract termination. The purpose of these posts is to explain why these stages are extremely important to address and to provide a list of topics that can be taken into account at each stage.
In a lot of cases, entities tend to perform a shortened due diligence at the moment of contract extension by looking at the third-party relationship and basing the decision on past experience. This is indeed helpful and provides a certain level of assurance. The real question is what should be done when the contract is not about to expire but the entity decides to extend the level of services that the third party provides. This is the moment when thorough due diligence is required to ensure that risks are well identified and assessed.
The starting point has to be ensuring that the extension of services is indeed in the best interest of the company, and that it is well documented and made on solid business grounds. The main risk here is that fraudulent activity may be hidden beneath the extension of services in a long-standing business relationship. This makes it necessary for the assessment to be done by an independent party, either from within the organization or an external assessor. In this way, any familiarity threats that the third-party sponsor might be facing are avoided and, more seriously, the risk of collusion to gain unlawful resources from the entity is dramatically reduced.
At the same time, the extension of services will impact other areas of the business as well, making it all the more important that proper due diligence is conducted to provide assurance and valuable information to the new stakeholders.
As in any due diligence, at this stage there are several questions to be addressed. A sample of them is stated below:
- Are the services truly needed / should they be outsourced to the extent defined?
- Are the additional services / products at the market rate? The aim should be to ensure that the extension is a sound business decision in terms of cost. The decision to extend the range of services or products should not be based on aiming for a very low number of third parties while missing out on opportunities for cost savings.
- Is the quality at the desired level? It might be the lowest price, but does that mean that the quality has to suffer?
- Can past experience provide a proven track record of proper business behavior? The third party might put together a financially tempting offer, but it should be clear that there are no hidden costs or subsequent price increases.
- What is the total exposure to the third party? Over-reliance on one party might lead to an increased level of risk in case of financial trouble. At the same time, a valid question is whether the third party's business is dependent on the current business relationship.
- Are there any reputational risks associated with widening the business relationship? Is the third-party obtaining the new range of products from activities that are regarded as departing from the best business practices?
Contract extension should be assessed in the wider context of risks and rewards associated with increasing the reliance on the third-party. Proper documentation should be maintained to ensure that in case of any investigation the business relationship can be justified and that transparency of decisions can be provided.